CLAIMS 

What is claimed is: 

1. A system for controlling communications over a computer network, the system 
comprising: 

access control devices for the computer network that control communications between 
compartments of the computer network; 

an attack detection system for determining whether the computer network may be under 
attack; and 

a control plane for instructing the access control devices to allow network 
communications between the compartments of the computer network based on a 
usage model describing legitimate network communications while restricting 
other network communications between the compartments, in response to attack 

2. A system as claimed in claim 1, wherein the computer network is an enterprise 
network. 

3. A system as claimed in claim 1, wherein the computer network is a service provider 
network. 

4. A system as claimed in claim 1, wherein the computer network is a public network. 

5. A system as claimed in claim 1, wherein the access control devices compartmentalize 
the computer network into separate sub-networks of network devices. 

6. A system as claimed in claim 1, wherein the access control devices separate host 
computers from the computer network. 

7. A system as claimed in claim 1, further comprising a network modeling system for 
generating the usage model. 
8. A system as claimed in claim 7, wherein the network modeling system receives flow 
information describing communications between network devices. 

9. A system as claimed in claim 8, wherein the flow information is collected by network 
communications devices. 

10. A system as claimed in claim 8, wherein the flow information is collected by the 
access control devices. 

11. A system as claimed in claim 8, wherein the network modeling system discards flow 
information between network devices in the computer network and network devices 
external to the computer network. 

12. A system as claimed in claim 7, wherein the network modeling system compares new 
network communications to the usage model and updates the usage model if the new 
network communications are not described by the usage model. 

13. A system as claimed in claim 1, wherein entries in the usage model comprise source 
addresses, destination addresses, source ports, and destination ports derived from the 
network communications. 

14. A system as claimed in claim 1, wherein entries in the usage model comprise source 
addresses, destination addresses, source ports, and destination ports derived from the 
network communications in addition to time stamp information indicating when the 
network communication was last detected. 

15. A system as claimed in claim 1, wherein entries in the usage model comprise source 
addresses, destination addresses, source ports, and destination ports derived from the 
network communications in addition to frequency information indicating a frequency of 
the network communication. 
16. A system as claimed in claim 1, wherein the attack detection system monitors 
communications over the computer network for attack using signature detection. 

17. A system as claimed in claim 1, wherein the attack detection system performs 
heuristic modeling to determine whether the computer network is under attack. 

18. A system as claimed in claim 1, wherein the attack detection system monitors 
communications over the computer network for attack by monitoring changes in 
connections between network devices. 

19. A system as claimed in claim 1, wherein the control plane receives protocol 
information and/or port information characteristic of the attack and generates pass and/or 
blocking rules for the access control devices. 

20. A system as claimed in claim 1, wherein the control plane receives protocol 
information and/or port information characteristic of the attack and generates pass rules 
and blocking rules for the access control devices, in which the pass rules are generated 
from the usage model and the blocking rules are generated from the protocol information 
and/or port information characteristic of the attack. 

21. A method for responding to an attack on a computer network, the method 
comprising: 

generating a usage model for the computer network; 
determining whether the computer network may be under attack; 
in response to detecting attack, determining characteristics of the attack; and 
generating instructions to access control devices compartmentalizing the computer 
network in response to the characteristics of the attack. 
22. A method as claimed in claim 21, wherein the step of generating the usage model 
comprises saving records describing network communications to and from network 
devices on the computer network. 

23. A method as claimed in claim 21, wherein the step of generating the usage model 
comprises saving records describing network communications between network devices 
on the computer network. 

24. A method as claimed in claim 21, wherein the step of generating the usage model 
comprises saving records that include port, protocol, source address and destination 
address of network communications to and from network devices on the computer 
network. 

25. A method as claimed in claim 21, further comprising the step of the access control 
device compartmentalizing the computer network into separate sub-networks of network 
devices. 

26. A method as claimed in claim 21, further comprising the step of the access control 
device compartmentalizing the computer network by separating host computers from the 
computer network. 

27. A method as claimed in claim 21, wherein the step of generating a usage model 
comprises: 

collecting flow information at network communications devices; and 
passing the flow information to a network modeling system. 

28. A method as claimed in claim 27, wherein the step of collecting flow information is 
performed by the access control devices. 
29. A method as claimed in claim 21, wherein the step of generating a usage model 
comprises comparing network communications to the usage model and updating the 
usage model if the network communications are not described by the usage model. 

30. A method as claimed in claim 21, wherein the step of determining whether the 
computer network may be under attack comprises monitoring network communications 
for attack signatures. 

31. A method as claimed in claim 21, wherein the step of determining whether the 
computer network may be under attack comprises performing heuristic modeling to 
determine whether the computer network is under attack. 

32. A method as claimed in claim 21, wherein the step of determining whether the 
computer network may be under attack comprises monitoring changes in connections 
between network devices. 

33. A method as claimed in claim 21, wherein the step of generating instructions to the 
access control devices comprises formulating pass and/or blocking rules for the access 
control devices in response to protocol characteristics and/or port characteristics of the 
attack. 

34. A method as claimed in claim 21, wherein the step of generating instructions to the 
access control devices comprises formulating pass rules and blocking rules for 
the access control devices, in which the pass rules are generated from the usage model 
and the blocking rules are generated from protocol and/or port characteristics of the 
attack. 
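The following is an added illustration, not code from the patent or from any product built on it, of the procedure the claims describe: a usage model keyed on source address, destination address, source port, destination port and protocol (claim 13) that also records a last-seen time stamp (claim 14) and a frequency count (claim 15); discarding of flows with an external endpoint (claim 11); updating the model when an unmodelled flow appears (claims 12 and 29); and, once attack characteristics such as a protocol and port are known, generating blocking rules from those characteristics and pass rules from the model, with everything else between compartments denied (claims 20 and 34). The compartment address ranges, the `Flow`/`Rule` record layouts, the flow samples and the decision to evaluate blocking rules before pass rules are all assumptions of this example.

```python
"""Added example (not the patent's code): usage model + rule generation."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed sample: the two compartments separated by the access control devices.
INTERNAL_NETS = [ip_network("10.1.0.0/24"), ip_network("10.2.0.0/24")]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str   # "tcp" or "udp"
    ts: int      # observation time, seconds (constructed values below)


Key = Tuple[str, str, int, int, str]   # src, dst, sport, dport, proto (claim 13)


@dataclass
class Entry:
    last_seen: int   # claim 14: when the communication was last detected
    count: int = 1   # claim 15: how often it has been seen


class UsageModel:
    def __init__(self) -> None:
        self.entries: Dict[Key, Entry] = {}

    @staticmethod
    def is_internal(addr: str) -> bool:
        a = ip_address(addr)
        return any(a in net for net in INTERNAL_NETS)

    def learn(self, f: Flow) -> str:
        """Returns 'discarded' (claim 11), 'added' (claims 12/29) or 'known'."""
        if not (self.is_internal(f.src) and self.is_internal(f.dst)):
            return "discarded"
        key: Key = (f.src, f.dst, f.sport, f.dport, f.proto)
        entry = self.entries.get(key)
        if entry is None:
            self.entries[key] = Entry(last_seen=f.ts)
            return "added"
        entry.last_seen = max(entry.last_seen, f.ts)
        entry.count += 1
        return "known"


@dataclass(frozen=True)
class Rule:
    action: str                   # "pass" or "block"
    proto: Optional[str] = None   # None matches any value
    dport: Optional[int] = None
    src: Optional[str] = None
    dst: Optional[str] = None

    def matches(self, f: Flow) -> bool:
        return all(want is None or want == getattr(f, name)
                   for name, want in (("proto", self.proto), ("dport", self.dport),
                                      ("src", self.src), ("dst", self.dst)))


def generate_rules(model: UsageModel, attack_proto: Optional[str],
                   attack_port: Optional[int]) -> List[Rule]:
    """Blocking rules from the attack's protocol/port, pass rules from the model,
    default deny last. Putting the block first is a design choice of this example;
    the pass rules deliberately omit the (ephemeral) source port."""
    rules: List[Rule] = []
    if attack_proto is not None or attack_port is not None:
        rules.append(Rule("block", proto=attack_proto, dport=attack_port))
    for (src, dst, _sport, dport, proto) in model.entries:
        rules.append(Rule("pass", proto=proto, dport=dport, src=src, dst=dst))
    rules.append(Rule("block"))   # restrict all other inter-compartment traffic
    return rules


def decide(rules: List[Rule], f: Flow) -> str:
    """First matching rule wins, as an access control device would evaluate it."""
    for r in rules:
        if r.matches(f):
            return r.action
    return "block"


# Constructed flow records standing in for collected flow information (claims 8-10).
SAMPLE_FLOWS = [
    Flow("10.1.0.5", "10.2.0.10", 51000, 443, "tcp", 1000),
    Flow("10.1.0.5", "10.2.0.10", 51000, 443, "tcp", 1060),   # repeat: count + time stamp
    Flow("10.1.0.7", "10.2.0.20", 40000, 1433, "tcp", 1100),
    Flow("10.1.0.5", "203.0.113.9", 52000, 80, "tcp", 1200),  # external endpoint
]


def build_model(flows=SAMPLE_FLOWS) -> UsageModel:
    m = UsageModel()
    for f in flows:
        m.learn(f)
    return m


def demo() -> dict:
    """Detection reports an attack characterised by tcp/1433 (constructed)."""
    model = build_model()
    rules = generate_rules(model, attack_proto="tcp", attack_port=1433)
    return {
        "entries": len(model.entries),
        "modelled_https": decide(rules, Flow("10.1.0.5", "10.2.0.10", 51002, 443, "tcp", 1300)),
        "attacked_port": decide(rules, Flow("10.1.0.7", "10.2.0.20", 40001, 1433, "tcp", 1300)),
        "unmodelled_ssh": decide(rules, Flow("10.1.0.9", "10.2.0.10", 33000, 22, "tcp", 1300)),
    }


if __name__ == "__main__":
    print(demo())
```

Note that the modelled tcp/1433 flow is blocked even though it is in the usage model, because the blocking rule derived from the attack characteristics is evaluated first; an implementation that prefers availability over containment could reverse that order, which is why the claims leave the rule composition to the control plane.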